Date: Mon, 24 Jul 2017 14:57:44 -0400
From: Leo Famulari
To: bug-guix@gnu.org
Subject: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Message-ID: <20170724185744.GA4997@jasmine.lan>

Apparently our PHP package is vulnerable to CVE-2017-11144,
CVE-2017-11145, and CVE-2017-11362:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145

This one looks especially bad:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362

Can someone please take a look at this?